
selinux: drop mac_selinux_unit_access_check_strv()

It is not acceptable to load unit files during enable/disable operations
just to figure out the selinux labels. systemd implements lazy loading
for units, so the selinux hooks need to follow it.

This drops the mac_selinux_unit_access_check_strv() helper, which
implements an unacceptable policy check. If anyone cares for that
functionality, you really should pass a callback+userdata to the helpers
in src/shared/install.c that perform policy checks on each touched file.

See #1050 on github for more.
David Herrmann 2015-08-27 16:23:47 +02:00
parent 19bee5c367
commit 8faae625dc
3 changed files with 0 additions and 45 deletions


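--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -1650,10 +1650,6 @@ static int method_enable_unit_files_generic(
 if (r < 0)
 return r;
-r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-if (r < 0)
-return r;
 r = bus_verify_manage_unit_files_async(m, message, error);
 if (r < 0)
 return r;
@@ -1723,10 +1719,6 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use
 return -EINVAL;
 }
-r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-if (r < 0)
-return r;
 r = bus_verify_manage_unit_files_async(m, message, error);
 if (r < 0)
 return r;
@@ -1766,10 +1758,6 @@ static int method_disable_unit_files_generic(
 if (r < 0)
 return r;
-r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-if (r < 0)
-return r;
 scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 r = bus_verify_manage_unit_files_async(m, message, error);
@@ -1902,10 +1890,6 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd
 if (dep < 0)
 return -EINVAL;
-r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-if (r < 0)
-return r;
 scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);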


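--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -289,30 +289,3 @@ finish:
 return 0;
 #endif
 }
-int mac_selinux_unit_access_check_strv(
-char **units,
-sd_bus_message *message,
-Manager *m,
-const char *permission,
-sd_bus_error *error) {
-#ifdef HAVE_SELINUX
-char **i;
-Unit *u;
-int r;
-STRV_FOREACH(i, units) {
-if (is_path(*i))
-r = manager_load_unit(m, NULL, *i, error, &u);
-else
-r = manager_load_unit(m, *i, NULL, error, &u);
-if (r < 0)
-return r;
-r = mac_selinux_unit_access_check(u, message, permission, error);
-if (r < 0)
-return r;
-}
-#endif
-return 0;
-}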


@ -29,8 +29,6 @@ void mac_selinux_access_free(void);
int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error); int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
#define mac_selinux_access_check(message, permission, error) \ #define mac_selinux_access_check(message, permission, error) \